l4-hurd

Re: capability interface for idl4


From: Jonathan S. Shapiro
Subject: Re: capability interface for idl4
Date: Fri, 07 Oct 2005 09:32:32 -0400

On Fri, 2005-10-07 at 13:05 +0200, Simon Nieuviarts wrote:
> > I think anything protected by sparsity is fundamentally flawed and
> > unacceptable, especially for something as critical as the kernel.
> >
> > Of course I'm not the one whose acceptance it needs, though. ;-)
> 
> Hi,
> 
> I don't know the typical probability of a logical gate erroneously flipping 
> a bit.

It depends on the wattage of the hair dryer you point at it.

A paper was published two years ago investigating hairdryer-induced heat
for the Java security model. The outcome is quite bad, and it appears to
apply to runtime-based security in general. The bad part isn't the hair
dryer. The bad part is that a single bit error is enough to compromise
the entire runtime-based security model.

Random particle hits generate single bit errors in your computer several
times a year.

> But I consider that if the probability of such a hardware error 
> is higher than the probability of a false sparsity match, then relying on 
> this sparsity may be a right choice.

Hopefully, my previous note will lead you to reconsider this.

> Anyway, not relying on sparsity at all (if possible) is still a better design.
> I'm not yet familiar enough with capabilities to know if it is possible.

It is better, and it is possible, and there are several working systems
that show how to do it.

shap
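The comparison Simon raises above, a random hardware bit error versus a false sparsity match, can be made concrete with a small simulation. This is an added example, not code from the list or from either author; the ID widths and table sizes are constructed values, and the model assumes a sparse-capability scheme in which a capability is just a random fixed-width integer looked up in a table of live capabilities.

```python
import random


def make_table(n_caps: int, width: int, seed: int = 1) -> set:
    """Allocate n_caps distinct random capability IDs from a width-bit space.
    Constructed model of a sparse-capability table; seeded for repeatability."""
    rng = random.Random(seed)
    caps = set()
    while len(caps) < n_caps:
        caps.add(rng.getrandbits(width))
    return caps


def single_flip_neighbors(cap: int, width: int):
    """All values reachable from cap by one hardware bit error."""
    for i in range(width):
        yield cap ^ (1 << i)


def false_match_fraction(caps: set, width: int) -> float:
    """Fraction of single-bit flips of live capabilities that land on
    *another* live capability, i.e. a bit error that silently becomes a
    different valid authority instead of an invalid lookup."""
    hits = total = 0
    for cap in caps:
        for neighbor in single_flip_neighbors(cap, width):
            total += 1
            if neighbor in caps:
                hits += 1
    return hits / total


def expected_false_match(n_caps: int, width: int) -> float:
    """Analytic estimate: a flipped ID is roughly a uniform point in the
    space, so it is live with probability about (n_caps - 1) / 2**width."""
    return (n_caps - 1) / 2 ** width


if __name__ == "__main__":
    # Dense 12-bit space: a bit error lands on a live capability ~24% of the time.
    dense = make_table(1000, 12)
    print("12-bit:", false_match_fraction(dense, 12), expected_false_match(1000, 12))
    # Sparse 64-bit space: the same error is essentially always caught as invalid.
    sparse = make_table(1000, 64)
    print("64-bit:", false_match_fraction(sparse, 64), expected_false_match(1000, 64))
```

The simulation only covers the capability word itself; a bit error in the lookup code or in the table, which is the failure the thread points to, is not reduced by any choice of width.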